What should you do to prepare for Phase 2 Audits

Posted: Oct 30, 2014

The Phase 2 audits will target the HIPAA Standards for which the Phase 1 audits found the highest rates of non-compliance. These may include:

  • Risk analysis and risk management
  • Content and timelines of breach notifications
  • Notice of privacy practices
  • Individual access
  • Privacy Standards reasonable safeguards requirement
  • Training to policy and procedures
  • Device/media controls
  • Transmission security

Projections made by OCR for the 2015/16 audit will focus on the Security Standards’ encryption and decryption requirements, facility access control, breach reports and complaints, and any other areas identified by earlier Phase 2 Audits. Phase 2 Audits of business associates will focus on risk analysis and risk management, and breach reporting to covered entities.

Phase 2 Audit Preparation Checklist

Before finalizing the report, OCR will present the organization with a draft audit report so that management can comment. OCR will then take management's response into account and issue a final report.

To ensure that they are prepared for a potential Phase 2 audit, covered entities and business associates should take the following steps:

  • Confirm that a comprehensive assessment of potential security risks and vulnerabilities to the organization (the Risk Assessment) has been completed by the organization
  • Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to be completed
  • Ensure that a complete inventory of business associates for purposes of the Phase 2 Audit data requests is in place
  • If the organization has not implemented any of the Security Standards' addressable implementation standards for any of its information systems, confirm that it has documented (i) the reason that each such addressable implementation standard was not reasonable and appropriate and (ii) details of the alternative security measures that were implemented instead
  • Ensure a breach notification policy has been implemented, and accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards
  • In addition to a website privacy notice, healthcare provider and health plan covered entities should ensure that they have a compliant Notice of Privacy Practices
  • Ensure that your organization has reasonable and appropriate safeguards in place for all forms of PHI, including paper and verbal PHI
  • Confirm that training on the HIPAA Standards (those necessary or appropriate for a workforce member to perform his/her job duties) has been provided
  • Confirm that your organization maintains an accurate inventory of information system assets, including mobile devices (also applicable to a bring your own device environment)
  • Confirm that all systems and software that transmit electronic PHI use encryption technology, or provide a documented risk analysis supporting the decision not to employ encryption
  • Confirm that a facility security plan for each physical location that stores or otherwise has access to PHI has been adopted, in addition to any security policies that require a physical security plan
  • Conduct a full review of HIPAA security policies to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures, etc.) to meet HIPAA compliance

To ensure that the sharing of sensitive information within your organization meets HIPAA compliance, contact Sfax today to find out more about our secure cloud-based fax solutions. You can try Sfax for free.